15 A clinical record fed into a diagnostic model is still protected health information. A pricing spreadsheet fed into a forecasting model is still a trade secret. A defense report fed into a retrieval index is still classified. AI storage for sensitive data is the discipline of keeping those classifications enforced from ingest through inference — through every embedding, every checkpoint, every prompt log, every backup copy. The data does not get less sensitive because it has been useful to a model. This guide is written for CISOs, security architects, and infrastructure leads who own AI workloads that touch protected health information (PHI), personally identifiable information (PII), intellectual property, or classified material. It covers the controls that matter, the encryption and key-management posture that holds, the retention rules that survive audit, and the role Scality ADI (Autonomous Data Infrastructure) plays at the storage tier. Why AI changes the sensitive data problem Sensitive data was already hard before AI. Regulators, boards, insurers, and security teams expected proof of residency, access control, retention, and recovery. The compliance frameworks — HIPAA, GDPR, CCPA, PIPL, CJIS, SEC 17a-4, DORA — were written for systems where a record had a clear owner, a defined access boundary, and a predictable lifecycle. AI workloads break that assumption. A model trained on mixed-sensitivity records inherits the highest sensitivity of any record it saw. A retrieval index built across tenants inherits the union of their access policies. A prompt log captures whatever the user pasted in, including the parts they should not have. The pipeline has many more surfaces than a transactional system, and each surface is a potential leak. That is the operating reality. The classification has to be carried by the storage layer, evaluated at every read, preserved through every lifecycle transition, and protected against the actors most likely to want to erase the evidence. Application-level controls are not enough. The substrate has to hold. What sensitive data actually means here Four categories cover most enterprise and government AI workloads. Protected health information (PHI). Patient identifiers, diagnoses, imaging, genomics, and treatment records under HIPAA in the United States, the European Health Data Space framework in the EU, and equivalent rules elsewhere. AI strains PHI controls by aggregating records across encounters, modalities, and institutions. Personally identifiable information (PII). Direct and indirect identifiers under GDPR, CCPA, PIPL, and the expanding global patchwork. Pseudonymized PII can re-identify when combined with embeddings, retrieval context, or model memorization, so the controls must travel with the derived artifacts as well as the raw records. Intellectual property and trade secrets. Source code, engineering specifications, contracts, research artifacts, and pricing models whose value depends on restricted disclosure. IP controls are usually weaker than personal data controls — a gap that code-assist and research-assist models have made painfully visible. Classified and controlled information. Formal national security classifications, controlled unclassified information (CUI), and sector-specific categories like CJIS in law enforcement. Classified workloads add the strictest requirements: cleared personnel, physical separation from anything below the classification level, and demonstrable enclave isolation. A defensible architecture for AI storage for sensitive data tags every object — datasets, model artifacts, embeddings, evaluation sets, inference logs — with its classification at write time and treats the tag as a first-class input to every access decision. Multi-tenant storage isolation is the foundational pattern; classification tags extend it from tenant boundaries to data-sensitivity boundaries. The four controls that hold up under audit When regulators, boards, or insurers ask for proof, they ask for the same four things. The storage layer has to produce evidence for each. Access control by classification, evaluated at the storage layer Every identity — human, service, or model — carries a clearance tag. Every object carries a classification tag. The storage layer evaluates one against the other on every read, every write, every administrative action. A user cleared for PII but not PHI cannot read a PHI bucket even if they request it. A pipeline approved for IP processing cannot ingest from a classified corpus unless an explicit, audited declassification flow says it can. The principle is straightforward; the discipline is in enforcing it consistently across S3 IAM policies, attribute-based conditions, and bucket-level access boundaries. Zero trust architecture is the broader pattern. Encryption with custody-aware key management Encryption at rest is table stakes. Encryption in transit is table stakes. The differentiator for regulated AI workloads is key custody. Keys protecting PHI should live in a jurisdiction that satisfies the data residency obligation. Keys protecting classified material should be held by cleared personnel in cleared infrastructure. Keys protecting IP should be revocable by the enterprise without a third-party support ticket. Encryption key management covers the foundational practices; the AI-specific twist is that key rotation has to extend to derived artifacts — checkpoints, embeddings, vector indexes — not just primary corpora. Retention that the storage layer enforces, not the application Retention rules under HIPAA, GDPR, SEC 17a-4, DORA, and classified frameworks are precise: this category of record must be retained for this many years, deleted on this trigger, and produced on this kind of legal request. The storage tier has to encode those rules where they cannot be silently bypassed. Object Lock retention policies, governed lifecycle transitions, and write-once-read-many (WORM) preservation move enforcement out of application logic and into the substrate. The retention promise survives a compromised application, a careless operator, and a malicious insider — because the storage layer is the policy enforcement point. Audit evidence that survives the incident it documents Audit logs are the deliverable. Every read, write, policy change, retention adjustment, classification edit, and administrative action is logged immutably, in a separate tenancy, with its own retention horizon. Object Lock on the audit bucket means the log cannot be modified by any actor — including a privileged administrator under coercion. Recovery procedures explicitly cover the audit corpus and verify the log chain through the recovery window. Storage audit trail covers the foundational pattern; for AI workloads, the lineage has to extend to every derived artifact so the evidence of “this model saw this classification” survives the model. Control What it enforces Audit evidence required Access by classification Identity clearance vs. object classification on every read Per-record access logs, denied-access logs, declassification approvals Encryption with key custody At rest, in transit, with jurisdictionally appropriate keys Key inventory, rotation logs, residency attestation Retention at the storage layer WORM, Object Lock, lifecycle preservation Retention policy diffs, deletion proofs, immutable lifecycle history Immutable audit Tamper-evident logging of every privileged action Log chain integrity, recovery-tested log corpus, separation-of-duties evidence The pattern repeats across HIPAA, GDPR, CCPA, PIPL, SEC 17a-4, DORA, and classified frameworks. The names differ; the substance does not. Where AI workloads put extra strain on these controls A few specific places where AI workloads stress these controls harder than a traditional system would. Training corpora aggregate sensitivity. A training set assembled from many records carries the maximum sensitivity of any contributor, not the average. The corpus needs the controls of its most sensitive member, and the lineage has to record which members went in. Embeddings and vector indexes are derived sensitive artifacts. A vector built from PHI is a PHI artifact. A retrieval index built from classified text is a classified artifact. Store them in tenancies whose controls match the source classification. Checkpoints and model weights memorize. A model that ingested classified text carries fragments of that text forward in ways that prompt extraction, membership inference, and output regurgitation can surface. The checkpoint inherits the source classification and belongs under the same retention, access, and immutability policy as the data that trained it. Logs capture what users paste. Prompt logs, evaluation traces, and inference telemetry routinely contain whatever the user sent in. Treat those logs as sensitive artifacts: classify, encrypt, retain on a defined schedule, and protect with Object Lock against tampering. Backups are still in scope. A backup copy of a PHI bucket is still PHI. The same classification, retention, and audit controls have to extend to every backup copy and every secondary site. How Scality ADI fits AI storage for sensitive data The storage layer is where the architecture either holds or unravels. Tags, policies, audit logs, retention rules, and recovery evidence all live there, and the integrity of that layer determines whether the rest of the controls have anything to defend. Scality ADI is data infrastructure for enterprise AI, cyber resilience, and sovereign control that autonomously and sustainably aligns the right storage media at multi-petabyte to exabyte scale. For regulated AI workloads, four properties of the platform matter directly. Sovereign control over location, custody, and inspection. Scality ADI exists for the data the cloud cannot handle on enterprise terms — hard residency requirements, AI workloads where egress at petabyte scale makes public cloud unworkable, and environments where boards or regulators require demonstrable control. PHI stays in jurisdiction. Classified material stays inside the enclave. IP stays inside enterprise custody. Residency, inspectability, and operational sovereignty are architectural properties, not vendor assurances. Cloud data sovereignty is the broader framing. Multi-tenant S3 with policy-governed access by classification. Scality ADI delivers cloud-native S3 behavior with multi-tenant data environments. Buckets, prefixes, object tags, IAM policies, attribute-based conditions, and Object Lock retention are first-class controls. Classification tags applied at write time travel with the object and are evaluated against the requester’s clearance on every read. Purpose limitation, clearance evaluation, and tenant isolation are enforced at the storage layer rather than in application code that can be rewritten or bypassed. CORE5 cyber resilience as audit infrastructure. Cyber resilience in Scality ADI is architectural. Protection, recoverability, and auditability are built into the platform rather than bolted on as an afterthought. CORE5 cyber resilience covers immutability, durability through erasure coding, metadata protection, multi-site protection, and policy-enforced lifecycle. Object Lock immutability protects classification tags, access logs, consent receipts, and deletion proofs from post-write modification. Metadata protection preserves the classification and purpose tags that policy depends on. Multi-site durability keeps evidence consistent across the geographies where regulators expect to find it. Cross-temperature lifecycle that preserves classification. Scality ADI spans four tiers under one operational model — GPU-Direct flash, hot QLC and NL-SSD, warm NL-HDD and HDD, and cold tape and cloud-adjacent archival. Sensitive records move through those tiers as access patterns change, but classification tags, encryption posture, retention rules, and audit lineage ride along. A PHI record on tape is subject to the same access policy as a PHI record on flash. A classified embedding archived for the long horizon retains the controls that bound it at creation. Scality ADI also acts as an immutable, high-scale S3 object target for the backup ecosystems — Veeam, Commvault, Rubrik, Atempo — that protect surrounding AI infrastructure. Backup copies inherit the same classification tags, encryption, retention, and immutability properties as the primary data. The frequent gap where backups sit outside the classification perimeter is closed by construction. See how Scality ADI delivers sovereign control for sensitive AI workloads Implementation best practices Tag at write time. Classification, jurisdiction, purpose, clearance level, and retention should be applied by the pipeline that writes the data, gated by policy, and treated as immutable thereafter. Retroactive classification under audit pressure is how mistakes become incidents. Make the storage layer the enforcement point. Application-level checks are convenient and easy to bypass. Enforce at the object store with IAM, attribute conditions, and Object Lock so the same decision applies to every workload, pipeline, and identity. Extend controls to derived artifacts. Training corpora, model checkpoints, embeddings, evaluation sets, inference logs, and prompt traces inherit the classification of their inputs. Store them where the controls match. Treat audit logs as the most sensitive data you own. Separate tenancy, strictest retention, highest durability, longest recovery-test cadence. When a regulator asks for evidence, the evidence has to be there. Recover the policy state alongside the data. Ransomware events, misconfigurations, and operator errors can wipe IAM, classification tags, retention rules, and audit logs as easily as data. Recovery procedures should restore the full policy state and verify continuity through the recovery window. Frequently asked questions What is AI storage for sensitive data? AI storage for sensitive data is the set of storage controls — classification tagging, access enforcement, encryption with key custody, retention, and immutable audit — that keep PHI, PII, intellectual property, and classified material defensible across the full AI lifecycle, from ingest through training, retrieval, inference, and long-term retention. Which regulations matter most? HIPAA and the European Health Data Space framework for PHI; GDPR, CCPA, and PIPL for PII; SEC 17a-4 and DORA for financial-services material; CJIS for law enforcement; and the relevant national frameworks for classified and controlled information. The technical controls — access by classification, encryption with custody-aware keys, enforced retention, immutable audit — are common across all of them. Why does immutability matter for AI on sensitive data? Immutability protects the audit evidence that proves the controls worked. Access logs, classification edits, retention adjustments, consent receipts, and deletion proofs all need to survive ransomware, insider tampering, and privileged-account compromise. Without Object Lock or equivalent immutability, the first thing a competent attacker does is edit the logs. How does Scality ADI support AI storage for sensitive data? Scality ADI delivers sovereign control over where sensitive data lives, multi-tenant S3 with policy-governed access by classification, CORE5 cyber resilience for tamper-evident audit and deletion evidence, and a cross-temperature lifecycle that preserves classification tags and access controls from active processing to long-term archival. Further reading Multi-tenant storage isolation — tenancy as the foundation for classification-scoped storage Zero trust architecture — identity-bound access patterns that extend to classification Cloud data sovereignty — keeping sensitive AI workloads under enterprise jurisdiction Storage audit trail — defensible audit evidence at the storage layer CORE5 cyber resilience solution — Scality’s five-pillar cyber resilience architecture HIPAA-compliant storage — PHI controls at the storage tier Encryption key management — custody-aware key practices for regulated workloads
